Re: IIS7 on Server 2008 Domain Controller



Actually, scripts/binaries of KB articles are usually the least tested
code from Microsoft.

KB articles, associated hotfixes, and accompanying scripts tend to be
HIGHLY focused on getting a fix out FAST and CORRECT to the customer,
with comprehensive applicability being sacrificed. That's not to say
the work is quick and trashy -- there is effort to make sure it works
and is supportable, but it may not account for all possible situations
in the world.

Yes, one can discuss the script in Technet Forums, but that tends to
only help yourself and no one else. Without reporting failures to
Microsoft, you simply condemn other users to follow the same path as
you -- which ultimately means that you are actually misusing people's
time discussing the issue in a forum because it does not address the
root issue. Sure, it gets you fixed and on your way, but what about
the thousands following you? You may not care because it doesn't
affect you, but it affects those of us that answer questions. This is
why I recommend doing the right thing for yourself and others the
first time so that you get your situation resolved and it helps
everyone else out. It's a win-win for everyone, vs just a win for you
and lose for everyone else.

IIS7 no longer creates/uses any IUSR_user account for anonymous
access. It is using a built-in IUSR user of Windows Server 2008 by
default. This is why using an older DC condemns you to seeing no
improvements.

As for domain functional level -- the script detected Windows Server
2008 which clearly conflicts with what you are seeing. Yet another
reason to contact support to look at the script.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//





On Nov 3, 5:11 am, Steven Cools
<StevenCo...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
since the script resulted in an error (and i thought it would've been well
tested by MS) i tried the following:

i transferred all the fsmo roles from the old 2K DC to the new 2K8 DC,
uninstalled SQL 2005, removed the IIS role and added it again after rebooting.
i now have the group IIS_IUSRS but it's empty (no IUSR_ account)
and when running the script i now get a different error:
"domain is already operating in a mode higher than Windows Server 2003 mode.
Stopping script execution"

i checked my domain functional level and it is still "Windows 2000 native".

any ideas?

S.

PS: David, since the script is already from december 2007 i assume the
technet forums are a right place for questions/problems like these, no?



"David Wang" wrote:
On Oct 30, 3:38 am, Steven Cools
<StevenCo...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
hello,

i added a new 2008 server to my 2000 domain (with 2000 and 2003 DC's) and
made it a DC.
then i wanted to install WSUS 3 on this new 2008 DC.
therefore i installed SQL 2005 and IIS 7.
i now have the -known- problem that the IUSR_ accounts are not registering
in AD.
the solution would be to run a .js script
(http://support.microsoft.com/kb/946139)

BUT, when running this script (SamUpgradeTask.js) on my 2008 DC i get the
following error:
"the directory property cannot be found in the cache" on line 52.

anyone any ideas?

cheers,
Steven.

You should contact Microsoft PSS regarding support for the KB article.
That way, if there is a problem in the script, Microsoft knows to fix
it, and it helps everyone out, instead of just you if we resolve it
here.

For the most part, the problems are because you have older DCs and
thus constrain IIS7 to have the same problems installing on DCs as
prior versions. If/When you migrate forward, these issues go away.
IIS7 uses a built-in IUSR account to Windows Server 2008, which means
that all those issues with password expiration, accidental denial of
anonymous auth user of IIS, user/ACL synchronization across multiple
machines, etc are no longer possible -- but with an old DC, all those
issues remain in addition to new issues mentioned in the KB.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


